Solved: [ 400 ] Bad Request,The request is invalid due to malformed syntax

adel dardari · ‎05-25-2023

Hi All,

I am working on a migration and upgrade for CISCO ISE nodes in distributed setup: i have 3 x primary CISCO ISE Nodes running on version 2.4 (PAN/PSN/MNT) and 3 x Secondary CISCO ISE Nodes (SAN/PSN/MNT) that we just migrated and used Version 3.0 ( so we ended up with two separate clusters )

The services we have in place are guest and BYOD access. we have couple of WLC 9800 at the site.

for the sake of testing, we changed the priority on WLC for AAA configuration to have only the secondary CISCO ISE PSN IP Address, and we changed the guest portal DNS to point at PSN and verified that the end user got the correct DNS configurations.

When the end user tries to connect to guest SSID, we see the traffic hitting ISE and a redirection policy is assigned to the user. This policy got the guest portal FQDN as part of the value pairs that it sends to WLC but then, nothing happen. we went on troubleshooting why the user is not getting redirected to the guest portal.

To fix this , we hard-coded the IP Addresses of PSN in the redirection policy and that worked. The user was able to reach the portal , register and got access.

It seems that when the WLC is receiving a redirection value pairs, i am doubting that somehow, WLC is pointing the user to the primary ISE Node (V2.4) , and once that happen, ISE 2.4 doesn't have a session and it drops it.

I wanted to know if this logic is correct and how to fix it

Thanks

adel dardari · ‎05-31-2023

just an update , i think we were able to troubleshoot the issue and it was around DNS , the DNS policies had a more specific setup ( zone based) which could be only viewed via command line not GUI, so we were basically making changes to a default DNS rather than the zone DNS. we will test it tonight and see how it goes. appreciate the support

View solution in original post

Nancy Saini · ‎05-25-2023

Based on the description provided, WLC is first contacting the 2.4 deployment. Can you check what is the first PSN defined on the guest SSID? If that is not the case then enable client debugs on the WLC and check why the RADIUS request is going to incorrect PSN.

Also, try creating a new SSID and check?

Arne Bier · ‎05-25-2023

The FQDN in the URL redirection given to the guest endpoint MUST then resolve to the IP address of the PSN that handled the WLC MAB request. That's what must happen.

Arne Bier · ‎05-25-2023

oh - and don't forget to check the ACL on the WLC - this must be appropriate to the PSNs used for redirection. That might be the issue

adel dardari · ‎05-25-2023

We ensured that in WLC, under AAA Servers, there is only 1 x PSN configured. We could see the initial traffic hitting the correct PSN and the user was getting an authorization profile assigned to get redirected.

on the ACL for WLC, does the sequence matter ? i.e i got sq 1 ==> allow psn 2.4 , sq 2 ==> allow psn 3.0 , does it affect routing and thus i have to flip them ?

Arne Bier · ‎05-25-2023

It's been a while since I have looked at 9800 ACLs for ISE Portal Redirection - but it was the opposite logic to how the old AireOS does it.

The ACL on the 9800 for URL Redirection must contain "deny" statements for ISE PSN's (TCP/8443) and DNS. The only permit statement is at the bottom for TCP/80 - because that is the only time you don't want to redirect the traffic. The logic is bizarre

Have a look here.

adel dardari · ‎05-31-2023

just an update , i think we were able to troubleshoot the issue and it was around DNS , the DNS policies had a more specific setup ( zone based) which could be only viewed via command line not GUI, so we were basically making changes to a default DNS rather than the zone DNS. we will test it tonight and see how it goes. appreciate the support

JuanG Gonzalez Bravo · ‎08-20-2024

Hi Adel, thanks for the update. I'm not entirely sure I understand the solution you described. I'm currently experiencing the same issue. Could you please clarify which specific commands you used to address the DNS problem? Any additional details would be greatly appreciated.